High severity7.5NVD Advisory· Published Dec 27, 2017· Updated May 13, 2026

CVE-2017-17848

Description

An issue was discovered in Enigmail before 1.9.9. In a variant of CVE-2017-17847, signature spoofing is possible for multipart/related messages because a signed message part can be referenced with a cid: URI but not actually displayed. In other words, the entire containing message appears to be signed, but the recipient does not see any of the signed text.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.htmlnvdThird Party AdvisoryVDB Entry
seclists.org/fulldisclosure/2019/Apr/38nvdMailing ListThird Party Advisory
www.openwall.com/lists/oss-security/2019/04/30/4nvdMailing ListThird Party Advisory
lists.debian.org/debian-lts-announce/2017/12/msg00021.htmlnvdMailing ListThird Party Advisory
lists.debian.org/debian-security-announce/2017/msg00333.htmlnvdMailing ListThird Party Advisory
sourceforge.net/p/enigmail/bugs/709/nvdThird Party Advisory
www.debian.org/security/2017/dsa-4070nvdThird Party Advisory
github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdfnvd

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000